Reflected Cross-Site Scripting Vulnerability in Themify Builder Plugin for WordPress
CVE-2024-13319

6.1 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 22 January 2025

Summary

The Themify Builder plugin for WordPress is susceptible to a reflected cross-site scripting vulnerability. This flaw arises from using the add_query_arg function without adequate escaping, allowing unauthenticated attackers to craft URLs that can inject arbitrary web scripts. If a user is misled into clicking on a manipulated link, the script will execute in the context of their session, potentially leading to unauthorized actions or data exposure. This vulnerability is present in all versions up to and including 7.6.5.
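The unescaped add_query_arg pattern described above can be audited for in plugin code. The following is an added example, not code from the plugin or its vendor: a heuristic Python scanner that flags add_query_arg() calls, and remove_query_arg() calls (included here because it builds on the request URL the same way), that are not wrapped in esc_url() or esc_url_raw(). The PHP sample is constructed for illustration.

```python
import re

# URL builders that fall back to the current request URI when no URL is passed.
URL_BUILDERS = re.compile(r"\b(add_query_arg|remove_query_arg)\s*\(")
# WordPress escapers that make the built URL safe for HTML output or redirects.
SAFE_WRAPPERS = {"esc_url", "esc_url_raw"}


def enclosing_calls(src, pos):
    """Return names of calls whose parentheses enclose src[pos] (same statement)."""
    names, depth = [], 0
    i = pos - 1
    while i >= 0 and src[i] != ";":          # heuristic: ';' ends the statement
        ch = src[i]
        if ch == ")":
            depth += 1                        # a closed group we are not inside of
        elif ch == "(":
            if depth == 0:                    # an open paren that encloses pos
                m = re.search(r"([A-Za-z_]\w*)\s*$", src[:i])
                if m:
                    names.append(m.group(1))
            else:
                depth -= 1
        i -= 1
    return names


def find_unescaped(src):
    """Return (line, function) for each URL builder lacking an escaping wrapper."""
    findings = []
    for m in URL_BUILDERS.finditer(src):
        if not SAFE_WRAPPERS & set(enclosing_calls(src, m.start())):
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1)))
    return findings


# Constructed sample, not taken from the Themify Builder source.
SAMPLE = '''<?php
echo '<a href="' . add_query_arg( 'tab', 'settings' ) . '">Settings</a>';
echo '<a href="' . esc_url( add_query_arg( 'tab', 'settings' ) ) . '">Settings</a>';
$next = remove_query_arg( 'paged' );
wp_safe_redirect( esc_url_raw( add_query_arg( 'done', '1', $base ) ) );
'''

if __name__ == "__main__":
    for line, fn in find_unescaped(SAMPLE):
        print(f"line {line}: {fn}() is not wrapped in esc_url()/esc_url_raw(); review")
```

A hit on an assignment (line 4 of the sample) is a prompt for manual review, since the value may be escaped later at the point of output.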

Affected Version(s)

Themify Builder * <= 7.6.5

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Colin Xu